How Situational Awareness Informs Cybersecurity Operations
Cybersecurity operations are applied principles, processes, and technologies that defend an information environment against threats. Situational awareness (SA) helps decision makers throughout an organization have the information and understanding they need to make sound decisions about cybersecurity operations as they defend their organizations from the increasingly dangerous cyber threats that are prevalent today.
The concept of cybersecurity operations encompasses all of the topics we have covered in our recent posts about network situational awareness. The term "cybersecurity operations" refers to a set of capabilities and functions rather than to a specific organization, such as a security operations center (SOC). Organizations that do not have an SOC can and do still perform cybersecurity operations if they have capabilities for monitoring and response, vulnerability management, digital forensics, malware management, or cyber-threat intelligence (CTI). In this blog post, I review and provide examples of how to use SA in cybersecurity operations.
In Situational Awareness for Cybersecurity: An Introduction, my colleague Angela Horneman defined these four key components of SA:
- Know what should be.
- Track what is.
- Infer when should be and is do not match.
- Do something about the differences.
Focusing on these components enables those working in cybersecurity operations or related roles to prioritize assets that support business and mission functions. Table 1 below uses example work roles from NIST's Workforce Framework for Cybersecurity (NICE Framework) to illustrate how each role applies SA to prioritize actions and activities.
|Work Role||SA for Role|
|Cyber defense analyst||Triage, investigation, analysis, and escalation are all influenced by SA of all the systems and functions involved in carrying out the mission of the business or organization.|
|Cyber defense incident responder||SA is needed to know whether systems involved in an incident are mission critical and what impacts disruption to those systems could have. Some incident-response actions are driven by the criticality or type of system and functions it performs. Incident responders must also understand their authorities and proper channels for coordination.|
|Threat analyst||Understanding the mission provides context to identify and prioritize threats that could disrupt or degrade the mission.|
|Cyber defense forensic analyst||A good forensic analysis requires SA of how a nominal system exists to contrast with a system that has been compromised or damaged, or functions disrupted.|
|Security architect||SA gives architects information needed to build protections into the designs for mission operations and systems.|
|Cyber legal adviser||Legal advisers are sometimes consulted as a part of cybersecurity operations and need to understand both their area of the law and the business environment to properly advise personnel in roles such as forensics or privacy.|
|Privacy officer||Privacy officers use SA of the organization and its mission to protect employees, customers, and partners. Performing cybersecurity operations while protecting privacy is a good example of conflicting interests between network visibility and privacy.|
Cybersecurity operations produce SA for the above roles and consume SA from them. Operations also produce SA for and consume SA from the larger organization and outside groups. For example, discovery of new malware may lead to a submission to notify an anti-virus vendor, which produces signatures that then get consumed by the enterprise. Finding the malware was the result of finding a notable difference between what should be and what is in the enterprise and inferring when should be and is do not match. Submitting the malware and getting new signatures back to prevent it from executing is one resolution (do something about the differences), while automating forensic and rebuild processes for an infected system could also contribute to an efficient resolution. Results and lessons learned will inform and update understanding of what is and what should be to increase SA in the future.
SA can also inform all five functions of the NIST Cybersecurity Framework (identify, protect, detect, respond, recover), and the results are then incorporated into cybersecurity operations' SA.
Using SA for Cybersecurity Operations
Organizations apply people, processes, and technologies to conduct cybersecurity operations in many different models, from a traditional SOC to heavily automated engineering operations, such as DevSecOps. Cybersecurity operations reach across an organization's units, including business operations, information technology (IT), legal, and more. Regardless of these variables, cybersecurity operations benefit from SA and then provide better SA for business decisions in return.
In Situational Awareness for Cybersecurity: Assets and Risks, Angela Horneman wrote about using SA to categorize and catalogue assets during the ongoing assessment of risk. Cybersecurity operations use SA to reconcile asset discrepancies, identifying assets that are not catalogued or that are improperly categorized. Ideally, incorrectly configured systems and services, unauthorized systems and services, and malicious activity will be identified as part of this process. Cybersecurity-operations capabilities also typically include vulnerability management, which can help to inform risk assessments.
In Situational Awareness for Cybersecurity: Three Key Principles of Effective Policies and Controls, Angela wrote about how effective policies and security controls improve SA and directly benefit security operations. The three key principles to improve policies for SA are the following:
- Well-constructed, comprehensive policies help, while vague policies do not.
- Detailed policies document business needs and let analysts rely less on inference and anomalies.
- Security controls should be documented and available so that cybersecurity operations can verify that controls are working.
These principles are exemplified even in the case of more advanced functions, such as threat hunting, which entails a proactive search for activity instead of reliance on threats to reveal themselves through traditional alerting and logging. Policies can provide threat hunters with a starting point to help identify what threats will easily blend into acceptable uses or services, as opposed to specific tactics, techniques, and procedures (TTPs) that are less likely to blend into acceptable activity. Depending on the threats, policies and controls can apply to either acceptable or unacceptable activities, or to both.
In Engineering for Cyber Situational Awareness: Endpoint Visibility, Phil Groce wrote about various options for endpoint visibility. Where data is analyzed--on the endpoint or in a central location--affects cybersecurity operations. Cybersecurity operations should be informed by what options for endpoint visibility the organization is currently using, but it should also identify gaps in collection or ways to reduce the amount of data collected by eliminating unused or redundant data. Endpoint visibility can improve the efficiency of the NIST Cybersecurity Framework detect and respond activities, from the most basic functions all the way through the activities of advanced threat-hunting teams.
Each type of visibility afforded by SA offers different capabilities. Network visibility traditionally has collected a few main types of information:
- session or network-flow metadata
- intrusion detection/prevention systems (IDS/IPS)
- network packet captures (PCAP)
- other metadata from packet inspection of email, HTTP, or DNS
All these capabilities have been limited in the past decade by the increasing use of encryption with popular communication and networking technologies, such as HTTPS, DNS over HTTPS, DNS over TLS, StartTLS for SMTP and IMAP, and more. The use of encryption changes the cost-benefit analysis of different types of security monitoring and influences security architectures. However, any system online that is making or receiving connections will reveal some type of metadata that can contribute to SA even when the connections are encrypted, so some amount of network visibility is still useful.
Tools for monitoring and response are used to help analyze data collections, respond to identified issues, and document analysis, issues, and response. These tools are one of the primary means for converting all the data and information collections into SA, particularly the third and fourth SA components of identifying and resolving differences between what should be happening and what actually is happening. Depending on context and other factors, some analysis, response, and documentation can be automated; one measure of the maturity of cybersecurity operations is the amount of repetitive work that is automated rather than conducted manually.
Important Factors in Cybersecurity Operations and SA
As I already wrote, one of the crucial factors in proper SA for cybersecurity operations is to understand the business--or in the case of government and military, the mission--of the organization. This understanding includes business use cases or mission threads, the mission of the cybersecurity operations team(s), what they are responsible for defending, the different capabilities and functions of the cybersecurity team(s), and other overall understanding of what cybersecurity the business needs to reduce risk, be successful in achieving cybersecurity goals, and avoid excessive hampering of business functions through overzealous security.
Cybersecurity operations should provide the system or service owners and others in the organization with the SA needed to make risk and cybersecurity decisions. In cases such as incident management, the cybersecurity-operations organization may have authority over immediate actions, but well-constructed policies provide the SA needed to determine if cybersecurity operations have authority in specific contexts and situations. If the policy is vague, there will be questions or conflicts over authorities related to incident response, while a good policy will make authorities and responsibilities clear.
Forthcoming Research on Cybersecurity Operations
In the future, we plan to conduct research related to cybersecurity operations and situational awareness, as well as modeling of those areas to help with security architecture. This research may investigate models and frameworks for defensive cybersecurity operations that can be tailored and applied to many environments or organizations, from traditional SOCs to cloud-first security-engineering operations using "SOC-less" models.
Read other SEI blog posts about network situational awareness.
Read the first blog post in this series on network situational awareness, Situational Awareness for Cybersecurity: An Introduction.
Read the second post in this series, Situational Awareness for Cybersecurity: Assets and Risk.
Read the third post in this series, Situational Awareness for Cyber Security: Three Key Principles of Effective Policies and Controls.
Read the fourth post in this series, Engineering for Cyber Situational Awareness: Endpoint Visibility.
Read the fifth post in this series, Situational Awareness for Cybersecurity Architecture: Network Visibility.
Read the sixth post in this series, Situational Awareness for Cyber Security Architecture: Tools for Monitoring and Response.
Read the seventh post in this series, Situational Awareness for Cybersecurity Architecture: 5 Recommendations.
Read the eighth post in this series, Is Your Organization Using Cybersecurity Analysis Effectively?