As human beings, we are continually looking for knowledge or information to help improve any situation. If we live or work in a crowded city, for example, we want to know which routes are best to avoid getting stuck in traffic. When we enter a restaurant or movie theater we look for the exits. And when a suspicious-looking person enters the room, part of our mind automatically keeps track of him. This behavior is known as situational awareness, and it’s second nature to most of us.
But while such behavior often occurs in our everyday lives, it does not seem to carry over into artificial environments. We often click on things we shouldn’t, open files we don’t recognize, and connect devices to access points we are unfamiliar with. Many IT teams can’t even tell you what devices or applications are on your network or outline the current topology of the network, let alone identify external threat actors. They lack cyber situational awareness.
The US Army defines situational awareness as, “Knowledge and understanding of the current situation which promotes timely, relevant, and accurate assessment of friendly, enemy, and other operations within the battle space in order to facilitate decision making.”
Basically, it’s about getting the right information in enough time to allow you to make good, educated decisions. Now, if we apply that same idea to cybersecurity, it can be very simply stated as:
“At any point in time, I understand my Priorities, Risks, and Threats”
This means having the right information at your fingertips, pulled from the volumes of information your networks generate, to help you make better decisions about your current set of risks and threats.
Your CISO and team of security professionals are constantly dealing with a variety of challenges, such as meeting compliance regulations, tracking increases in threat volume and sophistication, understanding the growing market of vendor solutions, and managing chronically limited budgets.
But they must also be more than technologists and risk managers. Security has business ramifications, so your team must be able to frame the issues they are dealing with within short and long-term business objectives, have clear line-of-sight across the organization and technologies, and be able to establish policy and governance for everyone who touches your data.
Cybersecurity and situational awareness also need to cross all levels of the organization, from the CEO and CFO on down. Each business or functional leader must be mandated to embed security into the core processes, business strategies, and initiatives that they own. Every leader must also have a role in understanding and assigning risk and assuming the weight of consequences.
To address these challenges, everyone needs to have a focus on organizational priorities, risks, and threats. Establishing cyber situational awareness as a core business value helps provide that focus.
To achieve cyber situational awareness, business leaders need to understand four key things: their business processes and data, their cyber assets, their network architecture, and the threat actors targeting them.
Let’s walk through each of these in a bit more detail.
The primary objective is to understand your organization’s business mission, and then tie it to the processes and resources that exist to enable that mission. As you learn about and document these processes, you will begin to understand the type of data your company uses and generates, and how much the processes that use this data overlap with those of other teams. You will then need to prioritize data and systems, determine which have regulations tied to them, and compare your priorities with those of the teams that share these resources.
Take expense reporting, for example. The process may include a user connecting over the Internet from a laptop to a web server to upload expenses. With that information, you now know that endpoint devices, the Internet, an edge firewall, and a web server are in play for this process. Of course, that web server also needs to talk to the database server, and the path to get there is through a router, a switch, and another edge firewall. Now you know that all those assets are in play as well.
Now rinse and repeat for all the other critical processes within your organization.
I used to do internal penetration testing, and the way we typically broke into an organization was by exploiting an asset the company didn’t even know existed, that had not been patched in ages, and which had not been configured to company standards. We would usually exploit a publicly known vulnerability that would allow us to obtain the admin password to the device - which many a time was the same password for the domain admin - and then we would own the network. This wasn’t an anomaly. Virtually every network more than a couple of years old seemed to have a variety of vulnerable points of entry.
This is why it’s very important to understand and catalog all the assets on your network, along with any vulnerabilities they may have. You will also need to know their profiles: What OS and version is installed? What applications reside on those devices, and what data do they hold?
Once you have a good idea of the devices you own, you need to ensure they are securely configured and patched. Remember, the vast majority of exploits target publicly known vulnerabilities that are five or more years old. Next, you need to prioritize all your critical vulnerabilities, which is why knowing your network infrastructure, including your topology and where and how your data flows, is critically important.
All devices are connected, which means we need to understand how they are connected, and to what. For example, a single vulnerable device may not seem to matter much at first because it doesn’t play a critical role. But once you understand where it fits in your network topology, you may see that it eventually accesses a critical device. So now, that vulnerability represents a much higher risk than you first thought. The trick, of course, is that tracking topologies is increasingly difficult to do because of the cloud, data virtualization, expanding numbers of remote sites, the escalating numbers and types of endpoint and IoT devices on your network, business partner connections, etc.
In spite of this, you still need to know your topology. Why? The biggest reason is that cybercriminals are already spending time and resources mapping it so they can exploit the vulnerabilities in your systems. Understanding how and where devices are connected, what data flows through them, and how and where it flows will determine where your risks are, what policies need to be created, and what countermeasures you need to have in place.
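The expense-reporting walk-through above and the point that a "minor" vulnerable device matters once it can reach a critical one can both be made concrete with a small topology model. The following is an added example, not code from the original post: it stores a constructed, hypothetical asset inventory (OS, applications, whether the data held is critical), a directed "talks to" graph following the laptop -> edge firewall -> web server -> router -> switch -> second firewall -> database path, and a few made-up vulnerability findings with placeholder ids. It then derives which assets are in play for a process and ranks findings higher when the affected device can eventually reach a critical asset or when the vulnerability has been public for years. All names, scores and the scoring weights are assumptions chosen for illustration.

```python
"""Constructed asset inventory, topology graph and reachability-based vulnerability ranking (example only)."""
from collections import deque

# Constructed topology: directed edges "A talks to B". Follows the expense-reporting
# path in the text; "printer-lobby" is a forgotten device nobody inventoried,
# "kiosk-guest" is isolated. All names are hypothetical.
TOPOLOGY = {
    "laptop-01": ["fw-edge-1"],
    "fw-edge-1": ["web-expense"],
    "web-expense": ["rtr-core"],
    "rtr-core": ["sw-dc-1"],
    "sw-dc-1": ["fw-edge-2"],
    "fw-edge-2": ["db-expense"],
    "db-expense": [],
    "printer-lobby": ["sw-dc-1"],
    "kiosk-guest": [],
}

# Constructed asset profiles: OS/version, installed applications, and whether the
# data the asset holds was classified as critical during the prioritization step.
ASSETS = {
    "laptop-01":     {"os": "Windows 11",     "apps": ["browser"],              "critical": False},
    "fw-edge-1":     {"os": "vendor-fw 7.2",  "apps": [],                       "critical": False},
    "web-expense":   {"os": "Ubuntu 22.04",   "apps": ["nginx", "expense-app"], "critical": False},
    "rtr-core":      {"os": "router-os 15.1", "apps": [],                       "critical": False},
    "sw-dc-1":       {"os": "switch-os 9.3",  "apps": [],                       "critical": False},
    "fw-edge-2":     {"os": "vendor-fw 7.2",  "apps": [],                       "critical": False},
    "db-expense":    {"os": "RHEL 9",         "apps": ["postgresql"],           "critical": True},
    "printer-lobby": {"os": "printer-fw 2.0", "apps": ["embedded-web"],         "critical": False},
    "kiosk-guest":   {"os": "Windows 10",     "apps": ["browser"],              "critical": False},
}

# Constructed findings: (asset, placeholder finding id, CVSS-style base score,
# years since the vulnerability became public). Not real identifiers.
FINDINGS = [
    ("printer-lobby", "FINDING-A", 7.5, 6),
    ("kiosk-guest",   "FINDING-B", 9.8, 1),
    ("web-expense",   "FINDING-C", 6.5, 2),
]


def reachable(graph, start):
    """Breadth-first set of assets that `start` can eventually talk to (start excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def assets_in_play(graph, entry):
    """Every asset on a business-process path that begins at `entry`, the entry included."""
    return {entry} | reachable(graph, entry)


def critical_exposure(graph, assets, asset):
    """Critical assets that `asset` can reach: why a low-importance device can still matter."""
    return {a for a in reachable(graph, asset) if assets[a]["critical"]}


def prioritize(graph, assets, findings):
    """Rank findings so reach-to-critical and age-in-the-wild outweigh raw score alone."""
    ranked = []
    for asset, fid, score, age_years in findings:
        exposed = critical_exposure(graph, assets, asset)
        # Hypothetical weighting: +2.0 if a critical asset is reachable,
        # +0.5 per year the vulnerability has been public, capped at five years.
        risk = score + (2.0 if exposed else 0.0) + min(age_years, 5) * 0.5
        ranked.append({"asset": asset, "finding": fid, "os": assets[asset]["os"],
                       "risk": round(risk, 1), "exposes": sorted(exposed)})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    print("Assets in play for expense reporting:", sorted(assets_in_play(TOPOLOGY, "laptop-01")))
    for row in prioritize(TOPOLOGY, ASSETS, FINDINGS):
        print(row)
```

With these constructed inputs the forgotten lobby printer, carrying a six-year-old mid-severity vulnerability and a path to the database, ranks above the isolated guest kiosk with a 9.8 score, which is the topology-informed ordering the text argues for; the raw score alone would have put the kiosk first.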
You also need to document the various attack paths and threat vectors to your data. Do you have the proper security sensors placed in the right locations of your network to identify possible attack attempts against critical data? Ask, if you wanted to get in, how would you do it? Vulnerable devices? Email? Web servers? Make sure you address this question as you build out and segment your network.
Finally, you need to understand the threat actors that are targeting your organization. What are their capabilities? What are their tactics? What resources are most valuable to them? Threat actors can include:
The question you have to answer is, which of these are the most likely to be focused on stealing the data that resides in your network? You can get more information on threat actors in the blog: Threat Intelligence - Understanding Threat Actors.
It is essential that you understand your business. You need a good idea of its critical processes and data; you need to identify your cyber assets and know what OS and applications are installed on them; you need to map your network architecture to understand data flows and possible blind spots; and you need to identify the threat actors targeting you to get an idea of how they will try to break in and what resources they are most interested in obtaining.
Knowing is half the battle. It will help you engineer as much risk and vulnerability out of your network as possible. It will also help you select those solutions that are most appropriate to protecting your unique environment. Just remember, to be the most effective, the security technologies you choose ought to be able to interact with your other enforcement points. This means developing holistic architectures and selecting open solutions that allow devices to interact, share intelligence, and respond to threats in a coordinated fashion anywhere across your extended network.