Situational Awareness for Cybersecurity: An Introduction
Situational awareness (SA) helps decision makers throughout an organization have the information and understanding available to make good decisions in the course of their work. It can be focused specifically on helping people and organizations protect their assets in the cyber realm or it can be more far reaching. SA makes it possible to get relevant information from across an organization, to integrate that information, and to disseminate it to help people make better decisions. This blog post is the first in a series that explores the concepts of cyber SA as they apply to the enterprise.
Protecting Organizational Assets
Even the smallest organizations have many assets that they must protect from cyber threats. In an understaffed, underfunded, and over-compromised environment, prioritizing protections for certain assets is a necessity. Prioritizing must occur in
- security hardening of individual devices and specific network segments or business units
- responses to compromises
- hiring for specific roles
Organizational assets exist to enable the organization to conduct its day-to-day activities. Prioritization for protecting those assets should correspond to the criticality and legal ramifications of the business functions that the assets support. For this information to influence the setting of priorities, security practitioners must be able to map assets to the business functions that they support, as well as understand the criticality of those functions.
Neither prioritization nor effective protection can occur without first understanding what you are protecting, why, from what, and how your assets already are or are not protected. The "what" portion of this information requires construction and maintenance of detailed asset lists. The rest of the information is obtained by organizational context.
Policies and Governance
The backbone of asset protection is provided with good policies and governance. The organization's expectations and business needs dictate what activities are security issues. The tighter the rules, the easier it is to detect a breach of them and the easier it is to prevent a breach in the first place. However, policies and needs must be made accessible to security practitioners to effect detection and prevention. Access to and understanding of the information is necessary to accurately determine
- how to prevent security incidents and breaches
- when an incident or breach occurs
- how to respond to them
The better the understanding about how individual assets can be used, by whom, and when, the more likely it is that a breach can be prevented completely and the more quickly security breaches will be caught when they do occur.
Security functions represent the methods organizations use to protect their assets. Security functions encompass technical components, structured processes, and organic practices. They cover the full lifecycles for assets, protections, and events. These functions are often spread across multiple teams, but the information they each generate is necessary to inform other functions. The activities of security functions actively change the environment and consequently can affect the priorities and effectiveness of other functions, both security and business.
About Situational Awareness
There have been many descriptions of SA, from the four functions of perception, comprehension, projection, and resolution in the model first defined by Mica Endsley, to the OODA loop of "observe, orient, decide, and act." These models are good for understanding the concept of situational awareness, but their practical application to cybersecurity is not always evident.
In practical terms, we can think of situational awareness in terms of four components:
- Know what should be.
- Track what is.
- Infer when should be and is do not match.
- Do something about the differences.
Know What Should Be
Before we can understand the cybersecurity state of an enterprise, we need a good understanding of what should be going on in that enterprise. In particular, we need to know
- legitimate users of internal and public-facing systems and devices
- authorized devices and what they are used for
- approved processes and applications, where they are allowed, and how they serve the organization
The more precise the information available to security personnel is, the easier it will be for them to infer when there are security issues and to do something about them. Precise information means having well-defined security policies, effective access controls, up-to-date inventories, and detailed network diagrams. The challenge is that organizational information is often poorly documented, incomplete, or outdated. This situation leads analysts to infer information, through baselining for example, which at best provides only a semi-accurate picture of the organizational context.
Track What Is
Knowing what should be and knowing what is are different. The first is about gathering information on organizational intention (what organizations mean to allow to accomplish their goals). The second is about examining the enterprise for what is really going on. Security teams cannot directly monitor all of cyberspace; they must use various tools available to them to create visibility into the geographically scattered, and largely invisible, cyberspace arena. We will go into greater detail about how to achieve that visibility in future blog posts, but the general idea is to track
- observed devices, processes/applications, and users
- what known vulnerabilities exist for the observed devices, processes, and applications
- how usage of various systems and devices is changing
- what usage patterns and cycles exist for systems, devices, and users
The method here uses information from sensing points and integrates that information in a way that makes it useful to analysts supporting security functions to infer when should be and is do not match. However, the sensing architecture required for tracking activities is costly and resource intensive. Allowing processes and analysts to access and combine information effectively requires architecting a robust federated or distributed system for situational awareness.
Infer When Should Be and Is Do Not Match
A security issue occurs when something happens that shouldn't, e.g., a device is accessed by an unauthorized individual, a recording device is set up to tap a network, a cryptominer is run on a web server, etc. Some of these occurrences are easy to detect if they are visible. For example, if security logging is enabled on a device, you can find when an unauthorized user ID attempted to access the device by looking at the security log. Or if all endpoint devices are supposed to use an internal domain name system resolver, any that don't can be found by logging and looking at network traffic that is leaving the enterprise.
Unfortunately, many of the security issues we are interested in require inference. For example, while security logging can track when a user ID successfully logs into a system, it cannot determine if the login is by the individual assigned to the user ID or if that user ID has been stolen. That determination requires inference, which is harder. Some methods of inference are
- direct policy violation
- deviations from historical data (significant changes in what is)
- unusual outliers showing up in outlier-detection analyses
- newness identification
- tactic, technique, and procedure (TTP) matching
We will expand on these ideas in future blog posts.
Actionable differences that should be addressed are not limited to security concerns; they include business and efficiency concerns as well. The challenge here is that analyzing all information from "track what is" against all relevant information from "know what should be" can be technologically impossible or practically infeasible. Deciding how to choose which subset of observations should be compared to what subset of context is a matter of priority and resources. It is therefore important that the available context, visibility, and resources accurately reflect business priorities.
Do Something About the Differences
It does not do any good to know what should be, track what is, or infer what should be if an enterprise does not plan to act on the knowledge it gains. Organizations will usually do something about things that they deem explicit security breaches. They clean up malware infections, investigate potential data leakage, and report stolen resources and personally identifying information. Organizations are less likely to do something about differences between what should be and what is if they do not believe that the differences represent a security incident. Such an oversight can make it harder to infer security events in the future. The more items that do not match what should be (i.e., approved users, devices, and usage), the more noise there is to clutter and interfere with inference.
Organizations must ensure that information about findings gets routed and resolved by the part of the organization responsible for the assets involved, and that they identify ways to prevent such issues in the future. They can do this by maintaining good communication channels throughout the organization and quickly communicating findings and contextual information and actionable intelligence to allow responsible parties to resolve issues when they arise. However, success requires organizational accountability, managed relationships, and clearly defined areas of responsibility. Organizational politics, turf wars, and unclear product and process owners often interfere.
Situational Awareness Process
Situational awareness is the process of getting relevant information from across the organization, integrating it into usable intelligence, and re-disseminating it out to help people throughout the organization make better decisions. Effective situational awareness requires
- people to provide effective communications across business units and the ability to analyze disparate information and make sense of it,
- technology to support collecting, analyzing, and storing large amount of data, and
- the ability to map subsets of observations with the corresponding subset of context in a way that matches priorities and makes the best use of resources.
Even in the best-funded, most mature organizations, there are information gaps in knowing what the current state is and what it should be. Effective situational awareness therefore requires an understanding of what augmenting data will allow practitioners to make competent inferences with the information they have and to understand the limitations of the inferences they are able to make.
The rest of this series of blog posts will go into more detail about other elements of situational awareness. We will write about the types of components for security monitoring and response, the basics of a cybersecurity architecture, methods of inference, and the future of cyber SA.
Read about the SEI's work in network situational awareness.
Read other SEI blog posts about network situational awareness.