search menu icon-carat-right cmu-wordmark

Subject: Network Situational Awareness

Is Your Organization Using Cybersecurity Analysis Effectively?

Is Your Organization Using Cybersecurity Analysis Effectively?

• SEI Blog
Angela Horneman

Cybersecurity analysis techniques and practices are key components of maintaining situational awareness (SA) for cybersecurity. In this blog post in our series on cyber SA in the enterprise, I define the term analysis, describe what constitutes a security problem that analysts seek to identify, and survey analysis methods. Organizations and analysts can ensure that they are covering the full range of analytical methods by reviewing the matrix of six methods that I present below (see...

Read More
Situational Awareness for Cybersecurity Architecture: 5 Recommendations

Situational Awareness for Cybersecurity Architecture: 5 Recommendations

• SEI Blog
Phil Groce

In this post on situational awareness for cybersecurity, we present five recommendations for the practice of architecture in the service of cybersecurity situational awareness (SA). Cybersecurity architecture is fundamentally an economic exercise. Economics is the practice of allocating finite resources to meet requirements. The goal of a cybersecurity SA architecture is to deploy your finite resources, such as equipment, staffing, and time, to enforce your organization's cybersecurity policies and controls. The endpoints on your network...

Read More
Situational Awareness for Cyber Security Architecture: Tools for Monitoring and Response

Situational Awareness for Cyber Security Architecture: Tools for Monitoring and Response

• SEI Blog
Tim Shimeall

Visibility into the activities within assets enables network security analysts to detect network compromises. Analysts monitor these activities directly on the device by means of endpoint visibility and in the communications going to and from the device on the network. In our earlier blog posts on cyber situational awareness (SA) for the enterprise, we discussed endpoint visibility and network visibility. However, endpoint and network visibility will do little good if analysts don't have tools to...

Read More
Situational Awareness for Cybersecurity Architecture: Network Visibility

Situational Awareness for Cybersecurity Architecture: Network Visibility

• SEI Blog
Timur Snoke

Network compromises cannot be detected without visibility into the activities within assets. Network security analysts can view these activities in one of two places (or sometimes both): directly on the device by means of endpoint visibility and in the communications going to and from the device; in other words, on the network. In our earlier blog post on cyber situational awareness (SA) for the enterprise, we discussed endpoint visibility. In this post, we turn our...

Read More
Engineering for Cyber Situational Awareness: Endpoint Visibility

Engineering for Cyber Situational Awareness: Endpoint Visibility

• SEI Blog
Phil Groce

This post was co-written by Timur Snoke. In this post, we aim to help network security analysts understand the components of a cybersecurity architecture, starting with how we can use endpoint information to enhance our cyber situational awareness. Endpoints collect a wealth of information valuable for situational awareness, but too often this information goes underutilized....

Read More
Situational Awareness for Cybersecurity: Three Key Principles of Effective Policies and Controls

Situational Awareness for Cybersecurity: Three Key Principles of Effective Policies and Controls

• SEI Blog
Angela Horneman

Security measures are most effective when it is clear how assets are supposed to be used and by whom. When this information is documented in clearly written organizational policies, these policies can then be implemented in the form of enforceable security controls. In this third post in our series of blog posts on cyber situational awareness for the enterprise, I discuss how policies and controls contribute to asset protection and to the know what should...

Read More
Situational Awareness for Cybersecurity: Assets and Risk

Situational Awareness for Cybersecurity: Assets and Risk

• SEI Blog
Angela Horneman

This post was co-written by Lauren Cooper. When key business assets are not adequately protected from cybersecurity breaches, organizations can experience dire consequences. Lumin PDF, a PDF editing tool, recently had confidential data for its base of 24.3 million users published in an online forum. The personal data of almost every citizen of Ecuador was also recently leaked online. Data breaches exposed 4.1 billion records in the first six months of 2019, and data breaches...

Read More
Situational Awareness for Cybersecurity: An Introduction

Situational Awareness for Cybersecurity: An Introduction

• SEI Blog
Angela Horneman

Situational awareness (SA) helps decision makers throughout an organization have the information and understanding available to make good decisions in the course of their work. It can be focused specifically on helping people and organizations protect their assets in the cyber realm or it can be more far reaching. SA makes it possible to get relevant information from across an organization, to integrate that information, and to disseminate it to help people make better decisions....

Read More
12 Risks, Threats, & Vulnerabilities in Moving to the Cloud

12 Risks, Threats, & Vulnerabilities in Moving to the Cloud

• SEI Blog
Timothy Morrow

Organizations continue to develop new applications in or migrate existing applications to cloud-based services. The federal government recently made cloud-adoption a central tenet of its IT modernization strategy. An organization that adopts cloud technologies and/or chooses cloud service providers (CSP)s and services or applications without becoming fully informed of the risks involved exposes itself to a myriad of commercial, financial, technical, legal, and compliance risks. In this blog post, we outline 12 risks, threats, and...

Read More
Improving Data Extraction from Cybersecurity Incident Reports

Improving Data Extraction from Cybersecurity Incident Reports

• SEI Blog
Samuel J. Perl

This post is also authored by Matt Sisk, the lead author of each of the tools detailed in this post (bulk query, autogeneration, and all regex). The number of cyber incidents affecting federal agencies has continued to grow, increasing about 1,300 percent from fiscal year 2006 to fiscal year 2015, according to a September 2016 GAO report. For example, in 2015, agencies reported more than 77,000 incidents to US-CERT, up from 67,000 in 2014 and...

Read More
Ransomware: Best Practices for Prevention and Response

Ransomware: Best Practices for Prevention and Response

• SEI Blog
Alexander Volynkin

This blog post is coauthored by Jose Morales and Angela Horneman. On May 12, 2017, in the course of a day, the WannaCry ransomware attack infected nearly a quarter million computers. WannaCry is the latest in a growing number of ransomware attacks where, instead of stealing data, cyber criminals hold data hostage and demand a ransom payment. WannaCry was perhaps the largest ransomware attack to date, taking over a wide swath of global computers from...

Read More
Best Practices for Network Border Protection

Best Practices for Network Border Protection

• SEI Blog
Rachel Kartch

When it comes to network traffic, it's important to establish a filtering process that identifies and blocks potential cyberattacks, such as worms spreading ransomware and intruders exploiting vulnerabilities, while permitting the flow of legitimate traffic. In this post, the latest in a series on best practices for network security, I explore best practices for network border protection at the Internet router and firewall....

Read More
Best Practices for NTP Services

Best Practices for NTP Services

• SEI Blog
Timur Snoke

The network time protocol (NTP) synchronizes the time of a computer client or server to another server or within a few milliseconds of Coordinated Universal Time (UTC). NTP servers, long considered a foundational service of the Internet, have more recently been used to amplify large-scale Distributed Denial of Service (DDoS) attacks. While 2016 did not see a noticeable uptick in the frequency of DDoS attacks, the last 12 months have witnessed some of the largest...

Read More
Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure

Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure

• SEI Blog
Mark Langston

The Domain Name System (DNS) is an essential component of the Internet, a virtual phone book of names and numbers, but we rarely think about it until something goes wrong. As evidenced by the recent distributed denial of service (DDoS) attack against Internet performance management company Dyn, which temporarily wiped out access to websites including Amazon, Paypal, Reddit, and the New York Times for millions of users down the Eastern Seaboard and Europe, DNS serves...

Read More
Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response

Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response

• SEI Blog
Rachel Kartch

Late last month, Internet users across the eastern seaboard of the United States had trouble accessing popular websites, such as Reddit, Netflix, and the New York Times. As reported in Wired Magazine, the disruption was the result of multiple distributed denial of service (DDoS) attacks against a single organization: Dyn, a New Hampshire-based Internet infrastructure company. DDoS attacks can be extremely disruptive, and they are on the rise. The Verisign Distributed Denial of Service Trends...

Read More
Flow Analytics for Cyber Situational Awareness

Flow Analytics for Cyber Situational Awareness

• SEI Blog
Sid Faber

It's the holiday season, a traditionally busy time for many data centers as online shopping surges and many of the staff take vacations. When you see abnormal traffic patterns and overall volume starts to rise, what is the best way to determine the cause? People could be drawn to your business, and you will soon need to add surge capacity, or maybe you are in the beginnings of a denial-of-service attack and need to contact...

Read More