Cyber Situational Awareness
Cyber security is a major priority for the federal government and the term “situational awareness” has become synonymous with the means to this end. Urgency around situational awareness for cyberspace has grown with respect to national defense, intelligence, homeland security, and full spectrum information operations. It has even started to take root in the private sector. Corporations continue to expand globally and push infrastructure and critical assets into the ‘cloud,’ becoming more and more reliant upon the public Internet for day-to-day business operations. While this evolution continues, organizations are experiencing a growing number of incidents and losses resulting from external actors. Therefore, awareness of external threats, external dependencies, and internal architecture and all associated threats seems to be a natural progression.
Cyber situational awareness requires an all-encompassing approach to threat understanding, analysis, and risk assessment. Internet intelligence, enterprise intelligence, and threat intelligence all play a significant role. Definitions are in order, as industry has not standardized the meaning of these terms. Internet intelligence includes understanding the logical and physical landscape of global Internet assets most critical to the business; enterprise intelligence describes the landscape and activities occurring within the enterprise perimeter; threat intelligence is applied to all activities that could adversely impact operations, whether they are inside or outside the traditional perimeter. This is a departure from the traditional enterprise/perimeter-centric philosophy of security. Some professionals, especially in the private sector, are hesitant to embrace this philosophy, possibly because they have not yet given the idea much thought, while others seem to be completely against adopting the capabilities required for situational awareness because they believe the responsibility lies squarely with the government and with their service providers.
A growing number across the private and public sectors seem to understand the concept, see its current value, and foresee its future trajectory. These industry thought leaders are recognizing the same challenges the government has faced for years, adding credible evidence that the status quo security solutions are not working in the increasingly distributed, complex environment that is ‘cyberspace’ to many organizations today. The challenges these individuals and organizations face include an overload of security data and sources, a shortfall in analytic capabilities, limited visibility to external threats and the ways they impact internal operations and infrastructure, and limited data correlation, fusion, and visualization tools. Resisting the adoption of a solid situational awareness approach that includes Internet situational awareness results in placing a great deal of inherent trust in all that occurs beyond the boundary of the enterprise. As all risk management processes are quick to point out, risks that go unidentified and unmanaged are risks that have been unknowingly accepted. To avoid the default acceptance of those risks, organizations need to take the initiative to understand connectivity dependencies, the information supply chain, and the risks and vulnerabilities to each of those capabilities and services that have presence outside their perimeter. Once this is achieved, the end result is a comprehensive view of the enterprise security posture, the current state of the enterprise service providers, partners, customers, supporting infrastructure, and any external threats which could impact operations. Now how does one get there?
The enterprise must take inventory of what it knows. Institutions in the financial services sector, those who have significant ‘skin in the game’ with respect to global cyber threat activities, are now starting to field ‘Threat Intelligence’ cells to acquire deep insight as to the overall threat posed to them from external actors. These cells are tasked with identifying threat feeds already accessible to the organization, tools and capabilities in-house that have any related functionality, and of course tools and data sources available from various vendors throughout industry. They are finding that the number of these data sets is large, and they are delivered in such a wide variety of formats that their existing capabilities do not support the fusion and visualization required to deliver actionable information and to coordinate response. For example, there may be five different vendors offering interesting botnet feeds, each of which has a different refresh rate, area of coverage, accuracy rating, and format type. Automation to merge and fuse these data sets into one that is most trusted is an obvious need. In addition to the fusion of the data set, a capability to present this information in a timely, clear, and actionable form is essential to take full advantage of the resources spent to acquire the data. A similar situation exists for each type of data feed being considered as a part of the situational awareness and threat assessment function, whether it be architectural information (Border Gateway Protocol (BGP), traceroute, registrar, etc.) or malware and malicious activity information (botnet, phishing, malware hosting, DDoS, BGP or DNS hijacking, etc.). The issues in dealing with these situational awareness challenges are the same ones that have tested government and defense intelligence agencies for years. It’s not a lack of data, but more of an overload of data and a lack of resources to make sense of it all in a timely fashion.
The solution lies in a mix of business process and information supply chain awareness, expert analysis, and automation.
The enterprise cannot rely on internal expertise alone when exploring data sets that are most critical to the sustainability of the business. The new intelligence cells are reaching out and engaging with others in the industry through the Information Sharing and Analysis Centers (ISACs) and other data sharing venues. These centers serve as a community for industry partners, and even competitors, to share insights on threats and risk mitigation techniques. They also serve as a venue and/or test bed for government agencies that are charged with protecting critical infrastructure to develop processes and a means for alerting and reporting on active and known threats. These centers, especially in the financial industry, have demonstrated great interest in working together to thwart attacks and improve reaction and response by sharing address and location information of known attackers, bots, and URLs involved in phishing, malicious sites, etc. Government agencies have also expressed great interest in working with these organizations since it is a great way to connect to the industry as a whole.
This same focus and diligence should be applied to the data sources available from internal network security tools. Event correlation engines, compliance tools, vulnerability management systems, network scanning devices, inventory management, network routing and IDS/IPS systems all have a wealth of information that should be cross-correlated with the external threat profiles generated by a cyber situational awareness platform. This correlation will provide the insight needed to understand how events going on outside the enterprise might impact networks that support business operations. The alerts and events resulting from these internal devices should be presented in a unified way with those occurring outside the enterprise.
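As an added example (not code from the original article) of the feed fusion described earlier and the internal-event correlation just discussed: three constructed vendor feeds in different formats are normalised, scored by constructed accuracy ratings and freshness relative to each vendor's refresh interval, and then matched against constructed perimeter firewall log lines. All feed contents, vendor ratings, addresses and log lines are made up for the illustration.

```python
import csv, io, json
from datetime import datetime, timezone

NOW = datetime(2024, 1, 10, 12, tzinfo=timezone.utc)  # constructed "current" time
# Constructed C2/botnet feeds from three vendors (CSV, JSON, plain text) and each vendor's accuracy (0-1) and refresh hours.
FEED_A_CSV = "indicator,type,last_seen\n198.51.100.7,c2,2024-01-10T09:00:00Z\n203.0.113.9,c2,2024-01-03T00:00:00Z\n"
FEED_B_JSON = ('[{"ip": "198.51.100.7", "updated": "2024-01-10T11:30:00Z"},'
               ' {"ip": "192.0.2.44", "updated": "2024-01-10T11:00:00Z"}]')
FEED_C_TXT = "# ip last_seen_epoch\n192.0.2.44 1704800000\n"
VENDORS = {"A": (0.9, 24), "B": (0.6, 1), "C": (0.75, 12)}  # vendor -> (accuracy, refresh interval in hours)

def parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalise():
    """Map every vendor format onto one record shape: (indicator, vendor, last_seen)."""
    recs = [(r["indicator"], "A", parse_iso(r["last_seen"])) for r in csv.DictReader(io.StringIO(FEED_A_CSV))]
    recs += [(o["ip"], "B", parse_iso(o["updated"])) for o in json.loads(FEED_B_JSON)]
    for line in FEED_C_TXT.splitlines():
        if line and not line.startswith("#"):
            ip, epoch = line.split()
            recs.append((ip, "C", datetime.fromtimestamp(int(epoch), timezone.utc)))
    return recs

def fuse(records, now=NOW):
    """Merge records per indicator: vendor accuracy weighted by freshness, summed over corroborating vendors."""
    fused = {}
    for ind, vendor, seen in records:
        accuracy, refresh_h = VENDORS[vendor]
        age_h = (now - seen).total_seconds() / 3600
        freshness = max(0.0, 1 - age_h / (10 * refresh_h))  # decays to zero after ten refresh periods
        entry = fused.setdefault(ind, {"score": 0.0, "sources": []})
        entry["score"] += accuracy * freshness
        entry["sources"].append(vendor)
    return fused

# Constructed perimeter firewall log lines from inside the enterprise.
INTERNAL_LOG = """2024-01-10T11:58:01Z fw allow src=10.0.5.12 dst=198.51.100.7 dport=443
2024-01-10T11:58:09Z fw allow src=10.0.5.40 dst=93.184.216.34 dport=443
2024-01-10T11:59:30Z fw allow src=10.0.7.3 dst=203.0.113.9 dport=8080"""

def correlate(fused, log=INTERNAL_LOG, threshold=0.5):
    """Flag internal hosts that connected to an indicator whose fused score clears the threshold."""
    hits = []
    for line in log.splitlines():
        kv = dict(f.split("=", 1) for f in line.split() if "=" in f)
        dst = kv.get("dst")
        if dst in fused and fused[dst]["score"] >= threshold:
            hits.append((kv["src"], dst, fused[dst]["score"], fused[dst]["sources"]))
    return hits
```

The stale, single-vendor entry for 203.0.113.9 falls below the threshold and is not flagged, while the fresh, two-vendor entry for 198.51.100.7 is.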
Another important element involves folding in threats that are more of a physical nature such as natural disasters, power outages, terrorist attacks, violent protests, and other catastrophic events that impact critical communication infrastructure. These physical-to-logical threat and risk mappings take account of the network access points, switching and routing stations, transmission media, and other physical infrastructure that a business is reliant upon. With this knowledge the organization can monitor and predict the impact these events may have on the ability to operate within the extended (and hyper-extended) enterprise landscape.
Delivery of this information is key to the process and involves a platform that accepts a variety of related data sources and provides aggregation, some routine analysis, alerting, reporting, and operations center monitoring and visualization. It must be flexible, scalable, and easy to integrate with existing compliance management, security event management, intrusion detection/prevention systems, and alerting tools. Cyber situational awareness is more than just a piecemeal aggregation of existing security tools; it is a well thought-out capability that in the end will provide a stronger security posture through advanced analysis and visualization, a more comprehensive threat perspective, and more informed risk management. As cyber situational awareness evolves over time, the role of analysts will change from a reactive mode focused on post-event forensic analysis to more proactive, real-time analysis.
Just like anything worth doing, there is significant effort and expense involved in implementing cyber situational awareness. However, there certainly are efficiencies that will be realized when taking inventory and opportunities to consolidate feeds and/or tools. Improved response times and effectiveness of remediation actions will translate to a reduction of losses due to future security incidents. It is time to look to the future of cyber security, because protecting business and the clients’ interests to the fullest extent is just the right thing to do.