Recently, I attended an information security conference at which the term “situational awareness” was mentioned perhaps a hundred times in the course of an afternoon, by everyone from security analysts to chief information security officers. Listening in on various conversations, I heard these professionals attribute capabilities to situational awareness that ranged from the underwhelming (“it’s a pipe dream, doomed to failure”) to the ridiculously overwrought (“it will make human security analysts obsolete”).

The truth is somewhere in the middle. More importantly, it’s time to get beyond the lip service and hype that have been steadily growing around the term and focus on what situational awareness really means for federal agencies and their partners.

The term situational awareness has long referred to “macro” visibility into complex systems, from air traffic control to battlefield command. In the wake of recent cybersecurity attacks, the term now has a legitimate home in the world of information assurance as well.

Last year, Gen. Keith Alexander, Director of the National Security Agency and Commander of U.S. CYBERCOM, summed up the value of situational awareness by stating, “We need real-time situational awareness in our networks… to see where something bad is happening and to take action there at that time.” That’s a great statement, but what exactly does it mean for information assurance professionals?

We certainly see what happens when an organization lacks situational awareness: extended discovery and disclosure times for major breaches like those at RSA, Sony, the CIA, the U.S. Senate, and many others. This applies not only to external groups such as “Anonymous” and “LulzSec”, but also to threats inside the organization, where Wikileaks has become the poster child for the insider threat. When these types of attacks occur en masse, the verbal responses to date, including the Pentagon’s recent statement that it may consider such attacks acts of war and may elect to respond with conventional weapons, are only going to clear out the casual attackers; die-hard, philosophically motivated attackers will continue to exploit what are essentially weak systems.

Therein, of course, lies the problem: complex, distributed technology systems are by their very nature difficult to secure. Multiple operating systems, communication protocols, APIs, databases, commercial off-the-shelf (COTS) and custom applications, middleware and other components, coupled with the separation of data, business logic and presentation into multiple tiers that now include web and mobile devices, have introduced countless vulnerabilities at every layer of the stack. Flaws in architecture, code, and third-party systems add to the burden on today’s security professionals at an ever-accelerating rate.

So what can be done to stem the tide of malicious attacks?

While there’s no proverbial magic bullet, situational awareness can be a powerful weapon in the arsenal of information assurance professionals. Expanding on Gen. Alexander’s statement, at its core situational awareness is about three things: visibility into all security-related data (events, system configurations, network traffic, system performance, and more); correlation of that data to see how the different aspects of security information relate to one another; and using the resulting intelligence to make well-informed, effective decisions in real time.

Actually making it happen requires discipline and a change in traditional security thinking.

First, we have to understand that the era of signature-based detection as the primary line of defense is over. Of course, I’m not suggesting that you go out and uninstall your IDS/IPS or anti-malware tools; these are still critical components of cyber defense. However, in today’s world they cover only one detection vector: activity that matches a known signature. Responding to advanced persistent threats (APTs) goes beyond what these tools can discover on their own.

Second, it means that no single tool, whether an event-based product such as log management or security information and event management (SIEM), a configuration assessment tool, or a network traffic assessment tool (such as network behavior analysis or deep packet inspection), can provide all of the visibility needed. The data from each of these tools is critical, but it must be shared in an integrated platform that correlates across sources and allows the tools to work in concert with one another.
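To make the correlation point concrete, here is an added illustration (not the author’s text and not any product’s code) of how three weak signals from three tool classes, an authentication log, a configuration assessment feed and network flow records, are joined on host and time into a single finding that none of the tools would have raised alone. The records are constructed sample data, and the field names, weights, ten-minute window and alert threshold are assumptions chosen for the demonstration.

```python
"""Toy cross-source correlation: authentication events, configuration
changes and network flows are joined on host within a time window, so
signals that are individually below any one tool's alert threshold add
up to a single finding. Added illustration only; the record layouts,
weights, window and threshold are assumptions, not any real product's
schema or scoring."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), flattened to dicts as a
# log manager/SIEM, a configuration assessment tool and a network
# behaviour analysis tool might each export them.
AUTH_EVENTS = [
    {"ts": "2011-06-20T09:01:05", "host": "fs01", "user": "svc_backup", "result": "fail"},
    {"ts": "2011-06-20T09:01:07", "host": "fs01", "user": "svc_backup", "result": "fail"},
    {"ts": "2011-06-20T09:01:09", "host": "fs01", "user": "svc_backup", "result": "fail"},
    {"ts": "2011-06-20T09:01:12", "host": "fs01", "user": "svc_backup", "result": "success"},
    {"ts": "2011-06-20T09:30:00", "host": "web02", "user": "jdoe", "result": "fail"},
]
CONFIG_CHANGES = [
    {"ts": "2011-06-20T09:02:40", "host": "fs01", "change": "local_admin_added", "detail": "user 'support'"},
    {"ts": "2011-06-20T08:00:00", "host": "web02", "change": "package_update", "detail": "openssl"},
]
NET_FLOWS = [
    {"ts": "2011-06-20T09:04:15", "host": "fs01", "dst": "198.51.100.23", "dport": 443,
     "bytes_out": 734_000_000, "known_dst": False},
    {"ts": "2011-06-20T09:31:00", "host": "web02", "dst": "192.0.2.10", "dport": 443,
     "bytes_out": 12_000, "known_dst": True},
]

WINDOW = timedelta(minutes=10)   # assumed: how close signals must be to count as related
ALERT_THRESHOLD = 60             # assumed: combined weight that opens an incident

def _t(s):
    return datetime.fromisoformat(s)

# Every detector returns signals as (host, time, weight, source, reason).
def auth_signals(events, min_fails=3):
    """Several failures followed by a success on the same account: weak on
    its own (too few failures to trip a lockout-style signature)."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        by_account[(e["host"], e["user"])].append(e)
    sigs = []
    for (host, user), seq in by_account.items():
        fails = 0
        for e in seq:
            if e["result"] == "fail":
                fails += 1
                continue
            if fails >= min_fails:
                sigs.append((host, _t(e["ts"]), 30, "auth",
                             f"{fails} failures then success for {user}"))
            fails = 0
    return sigs

def config_signals(changes):
    """Configuration drift, weighted by how often the change accompanies compromise."""
    weights = {"local_admin_added": 25, "package_update": 5}
    return [(c["host"], _t(c["ts"]), weights.get(c["change"], 10), "config",
             f"{c['change']}: {c['detail']}") for c in changes]

def network_signals(flows, big_upload=100_000_000):
    """Large outbound transfer to a destination not in the host's baseline."""
    return [(f["host"], _t(f["ts"]), 35, "network",
             f"{f['bytes_out']} bytes out to new destination {f['dst']}:{f['dport']}")
            for f in flows if not f["known_dst"] and f["bytes_out"] >= big_upload]

def correlate(signals, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Cluster each host's signals into time windows; a cluster becomes an
    incident only if its summed weight reaches the threshold AND it draws
    on more than one source, so one noisy tool cannot open one by itself."""
    by_host = defaultdict(list)
    for s in signals:
        by_host[s[0]].append(s)
    incidents = []
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: s[1])
        cluster = []
        for s in sigs + [None]:                     # None flushes the last cluster
            if s is not None and (not cluster or s[1] - cluster[0][1] <= window):
                cluster.append(s)
                continue
            score = sum(c[2] for c in cluster)
            sources = sorted({c[3] for c in cluster})
            if score >= threshold and len(sources) > 1:
                incidents.append({"host": host, "start": cluster[0][1], "end": cluster[-1][1],
                                  "score": score, "sources": sources,
                                  "reasons": [c[4] for c in cluster]})
            cluster = [] if s is None else [s]
    return incidents

def run():
    signals = auth_signals(AUTH_EVENTS) + config_signals(CONFIG_CHANGES) + network_signals(NET_FLOWS)
    return correlate(signals)

if __name__ == "__main__":
    for inc in run():
        print(f"{inc['host']} {inc['start']:%H:%M}-{inc['end']:%H:%M} "
              f"score={inc['score']} sources={','.join(inc['sources'])}")
        for r in inc["reasons"]:
            print("   -", r)
```

On this input every detector stays below the threshold by itself: the SIEM sees three failed logins and a success, the configuration tool sees one new local administrator, the flow tool sees one large upload. Only the join on host and time window turns them into an incident on fs01, while web02, with one failed login, a routine package update and normal traffic, produces nothing. Adding another source is a matter of writing one more producer of (host, time, weight, source, reason) tuples; correlate() does not change.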

Finally, the organization needs the right governance model and personnel to analyze and respond to this information, including a security operations center (SOC) and an incident response team (CERT).


As security technologies improve, so will the degree of situational awareness they can provide. Many of us envision a time in the not-too-distant future when security tools become predictive: by watching for the most minute deviations from “normal” behavior across all data, networks, and systems, they will tell security analysts immediately which systems to monitor right now and which users to track.

But in the meantime, as we’ve seen in the past few weeks, no organization, from the intelligence community to the legislative branch of the federal government to large global system integrators, is exempt from attack. While it’s virtually impossible to prevent an attack from being waged, situational awareness can provide the real-time information needed to keep those attacks from succeeding: detecting and responding to the threat before data is breached, agencies are embarrassed and trust is compromised.